IN THE CLAIMS

1. (currently amended) A method of detecting an intrusion in a communications
network, the method comprising the steps of:

a) accessing, by a network intrusion detection process of a target computer
system, communication to an application receive queue (ARQ) for an application
running in an application layer of the target computer system, wherein the ARQ
functions intermediate the application layer and a transport layer of a network protocol
associated with said communications network to receive data packets for the
application from the transport layer;

b) scanning for the application by the network intrusion detection process only
the data packets accessed by the network intrusion detection process in a), [[by a first
computer system to which]] wherein the data packets are directed to the application from
a remote host via the communications network, and wherein the scanning is after
[[includes the computer system processing]] the data packets have been processed by
[[a]] the transport layer [[of a network protocol associated with said communications
network]] and after the transport layer has passed the processed data packets for receipt
by the application's ARQ; [[using signatures from a repository of said signatures;]]

c) determining if said scanned data packets are malicious; and

d) taking at least one action to prevent the application from processing data
packets from the remote host to the application responsive to c) determining that any
of the scanned data packets are [[determined to be]] malicious[[,

wherein at least one application receive queue (ARQ) functions intermediate said
transport layer and an application layer of the first computer system to provide a queue
for data from the data packets to a first application on the first computer system,
wherein the scanning of the respective data packets occurs before the first application
receives the data from the respective data packets, and wherein said scanning step is
selected from the group consisting of:

scanning between said transport layer and said at least one ARQ; and

scanning the data packets from said at least one ARQ]].
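The placement claimed in steps a) through d), as an added simulation that is not part of the patent's text: an IDS hook on a per-application receive queue sees data only after transport-layer processing, matches it against a signature repository, and on a hit stops the application from ever reading that remote host's data while other hosts' connections continue to be served (claims 36 to 38). The class names, signatures and traffic are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed signature repository; the patterns are illustrative, not real IDS rules.
SIGNATURES = {
    "SIG-OVERLONG-CMD": b"CMD " + b"A" * 64,  # overlong command argument
    "SIG-NUL-IN-TEXT": b"\x00",               # NUL byte inside a text protocol
}

@dataclass
class Segment:
    remote_host: str   # peer that sent the data, known after transport processing
    payload: bytes     # in-order application data handed up by the transport layer

@dataclass
class AppReceiveQueue:
    """The ARQ of claim 1: the transport layer appends, the application drains,
    and the IDS process scans in between (step a)."""
    queue: deque = field(default_factory=deque)
    blocked_hosts: set = field(default_factory=set)  # hosts cut off by step d

    def transport_deliver(self, seg: Segment) -> None:
        """Transport layer passes processed data up to the ARQ (claim 36 block applied here)."""
        if seg.remote_host not in self.blocked_hosts:
            self.queue.append(seg)

    def ids_scan(self) -> list:
        """Steps b and c: scan only what sits in the ARQ, before the application reads it."""
        hits = [(seg.remote_host, name) for seg in self.queue
                for name, pat in SIGNATURES.items() if pat in seg.payload]
        for host, _ in hits:
            self._take_action(host)
        return hits

    def _take_action(self, host: str) -> None:
        """Step d: tear down that host's connection (claim 37), drop everything already
        queued from it (even earlier benign data) and refuse anything further."""
        self.blocked_hosts.add(host)
        self.queue = deque(s for s in self.queue if s.remote_host != host)

    def app_read(self) -> list:
        """Application drains the ARQ; other hosts' connections are still served (claim 38)."""
        out, self.queue = list(self.queue), deque()
        return out

def run_demo() -> tuple:
    """Constructed traffic: one benign peer and one peer that trips a signature."""
    arq = AppReceiveQueue()
    arq.transport_deliver(Segment("10.0.0.5", b"HELLO early benign data"))
    arq.transport_deliver(Segment("10.0.0.9", b"GET /index"))
    arq.transport_deliver(Segment("10.0.0.5", b"CMD " + b"A" * 64 + b"\n"))
    arq.transport_deliver(Segment("10.0.0.5", b"more from the same peer"))
    hits = arq.ids_scan()
    delivered = [s.payload for s in arq.app_read()]
    arq.transport_deliver(Segment("10.0.0.5", b"after teardown"))  # refused at the ARQ
    return hits, delivered, sorted(arq.blocked_hosts), len(arq.queue)
```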
2. (currently amended) The method according to claim 1, wherein said at least
one action includes terminating the application[[, is selected from the group consisting of:

interrupting transmission of any data packets determined to be malicious
to said application layer of said network protocol, wherein the interrupting is
performed prior to the first application processing the malicious data packets;

logging of errors related to any data packets determined to be malicious;

modifying firewall rules of a host computer if any data packets are
determined to be malicious;

informing a network administrator of any data packets that are determined
to be malicious;

intimating said transport layer terminate an existing connection related to
any data packets determined to be malicious;

blocking network access to a source of any data packets determined to be
malicious;

terminating the first application if any data packets are determined to be
malicious; and

notifying an application of an application layer if any data packets are
determined to be malicious]].

3. (original) The method according to claim 1, further comprising the step of
transmitting to said application layer any data packets determined not to be malicious.

4. (original) The method according to claim 1, wherein said scanning and
determining steps are implemented using a scan module.

5-6. (canceled) 

7. (currently amended) The method according to claim 1, further comprising the
step of obtaining data from said at least one ARQ [[application receive queue (ARQ)]].
8. (canceled)

9. (original) The method according to claim 1, further comprising the step of
dispatching said data packets to one or more handlers for scanning, if said protocol is
monitored.

10. (original) The method according to claim 1, wherein said scanning and 
determining steps are implemented using a scan daemon. 

11. (previously presented) The method according to claim 1, further comprising
the step of the target computer system generating fake, network-accessible services.

12. (withdrawn) A method of preventing an intrusion in a communications 
network, the method comprising the steps of: 

disabling a network interface of a host if an idle time expires; 
determining if any packets are to be transmitted; and 
enabling said network interface if at least one packet is determined to be 
available to be transmitted. 

13. (currently amended) A target computer system for detecting an intrusion
originating from a remote host and communicated to the target computer system via [[in]]
a communications network, the target computer system comprising:

a storage unit for storing data and instructions for a processing unit; and
a processing unit coupled to said storage unit, said processing unit being
programmed to perform steps responsive to the instructions, wherein the steps
comprise:

[[scan data packets by a first computer system to which the data packets are
directed, wherein the scanning includes the computer system processing the packets
by a transport layer of a network protocol associated with said communications network
using signatures from a repository of said signatures, to determine if said scanned data
packets are malicious, and to take at least one action if any of the data packets are
determined to be malicious, wherein at least one application receive queue (ARQ)
functions intermediate said transport layer and an application layer of the first computer
system to provide a queue for data from the data packets to a first application on the
first computer system, wherein the scanning of the respective data packets occurs
before the first application receives the data from the respective data packets, and
wherein said scanning step is selected from the group consisting of:

scanning between said transport layer and said at least one ARQ; and

scanning the data packets from said at least one ARQ.]]

a) accessing, by a network intrusion detection process of the target computer
system, communication to an application receive queue (ARQ) for an application
running in an application layer of the target computer system, wherein the ARQ
functions intermediate the application layer and a transport layer of a network protocol
associated with said communications network to receive data packets for the
application from the transport layer;

b) scanning for the application by the network intrusion detection process only
the data packets accessed by the network intrusion detection process in a), wherein
the data packets are directed to the application from the remote host via the
communications network, and wherein the scanning is after the data packets have
been processed by the transport layer and after the transport layer has passed the
processed data packets for receipt by the application's ARQ;

c) determining if said scanned data packets are malicious; and

d) taking at least one action to prevent the application from processing the data
packets from the remote host to the application responsive to c) determining that any of
the scanned data packets are malicious.

14. (currently amended) The system according to claim 13, wherein said at least
one action includes terminating the application[[, is selected from the group consisting of:

interrupting transmission of any data packets determined to be malicious to said
application layer of said network protocol, wherein the interrupting is performed prior to
the first application processing the malicious data packets;

logging of errors related to any data packets determined to be malicious;

modifying firewall rules of a host computer if any data packets are determined to
be malicious;

informing a network administrator of any data packets that are determined to be
malicious;

intimating said transport layer terminate an existing connection related to any
data packets determined to be malicious;

blocking network access to a source of any data packets determined to be
malicious;

terminating the first application if any data packets are determined to be
malicious; and

notifying an application of an application layer if any data packets are
determined to be malicious]].

15. (original) The system according to claim 13, wherein said processing unit is 
programmed to transmit to said application layer any data packets determined not to be 
malicious. 

16. (original) The system according to claim 13, wherein said processing unit is 
programmed to implement a scan module. 

17-18. (canceled) 

19. (currently amended) The system according to claim 13, wherein said
processing unit is programmed to obtain data from said at least one ARQ [[application
receive queue (ARQ)]].

20. (currently amended) The system according to claim 19, wherein said
scanning is performed on data packets from said at least one ARQ [[application receive
queue (ARQ)]].

21. (original) The system according to claim 13, wherein said processing unit is
programmed to dispatch said data packets to one or more handlers for scanning, if said
protocol is monitored.

22. (original) The system according to claim 13, wherein said scanning and 
determining are implemented using a scan daemon. 

23. (previously presented) The system according to claim 13, wherein said 
processing unit is programmed to generate fake, network-accessible services. 

24. (withdrawn) A system of preventing an intrusion in a communications 
network, the system comprising: 

a storage unit for storing data and instructions for a processing unit; and 
a processing unit coupled to said storage unit, said processing unit being 
programmed to disable a network interface of a host if an idle time expires, to 
determine if any packets are to be transmitted, and to enable said network interface if 
at least one packet is determined to be available to be transmitted. 

25. (currently amended) A computer program product stored on a
computer-readable storage medium, the computer program product having instructions
for execution by a computer, wherein the instructions, when executed by the computer,
cause the computer to implement a method comprising the steps of:

[[scanning data packets by a first computer system to which the data packets are
directed, wherein the scanning includes the computer system processing the packets
by a transport layer of a network protocol associated with said communications network
using signatures from a repository of said signatures;

determining if said scanned data packets are malicious; and

taking at least one action if any of the data packets are determined to be
malicious, wherein at least one application receive queue (ARQ) functions intermediate
said transport layer and an application layer of the first computer system to provide a
queue for data from the data packets to a first application on the first computer system,
wherein the scanning of the respective data packets occurs before the first application
receives the data from the respective data packets, and wherein said scanning step is
selected from the group consisting of:

scanning between said transport layer and said at least one ARQ; and

scanning the data packets from said at least one ARQ.]]

a) accessing, by a network intrusion detection process of a target computer
system, communication to an application receive queue (ARQ) for an application
running in an application layer of the target computer system, wherein the ARQ
functions intermediate the application layer and a transport layer of a network protocol
associated with said communications network to receive data packets for the
application from the transport layer;

b) scanning for the application by the network intrusion detection process only
the data packets accessed by the network intrusion detection process in a), wherein
the data packets are directed to the application from a remote host via the
communications network, and wherein the scanning is after the data packets have
been processed by the transport layer and after the transport layer has passed the
processed data packets for receipt by the application's ARQ;

c) determining if said scanned data packets are malicious; and

d) taking at least one action to prevent the application from processing data
packets from the remote host to the application responsive to c) determining that any of
the scanned data packets are malicious.

26. (currently amended) The computer program product according to claim 25,
wherein said at least one action includes terminating the application[[, is selected from
the group consisting of:

interrupting transmission of any data packets determined to be malicious to said
application layer of said network protocol, wherein the interrupting is performed prior to
the first application processing the malicious data packets;

logging of errors related to any data packets determined to be malicious;

modifying firewall rules of a host computer if any data packets are determined to
be malicious;

informing a network administrator of any data packets that are determined to be
malicious;

intimating said transport layer terminate an existing connection related to any
data packets determined to be malicious;

blocking network access to a source of any data packets determined to be
malicious;

terminating the first application if any data packets are determined to be
malicious; and

notifying an application of an application layer if any data packets are
determined to be malicious]].

27. (previously presented) The computer program product according to claim 25, 
the steps further comprising transmitting to said application layer any data packets 
determined not to be malicious. 

28. (previously presented) The computer program product according to claim 25, 
wherein said scanning and determining are implemented using a scan module. 

29-30. (canceled) 

31. (currently amended) The computer program product according to claim 25,
the steps further comprising obtaining data from said at least one ARQ [[application
receive queue (ARQ)]].

32. (canceled) 

33. (previously presented) The computer program product according to claim 25, 
the steps further comprising dispatching said data packets to one or more handlers for 
scanning, if said protocol is monitored. 

34. (previously presented) The computer program product according to claim 25, 
wherein said scanning and determining are implemented using a scan daemon. 
35. (withdrawn) A computer-readable medium of preventing an intrusion in a
communications network, the computer-readable medium comprising:

programmed instructions for disabling a network interface of a host if an idle time 
expires; 

programmed instructions for determining if any packets are to be transmitted; 

and 

programmed instructions for enabling said network interface if at least one 
packet is determined to be available to be transmitted. 

36. (new) The method according to claim 1, wherein said at least one action
includes modifying firewall rules to prevent reception of data packets from the host
computer system.

37. (new) The method according to claim 1, wherein the directing of the data
packets to the application from the remote host is via a connection with the remote host
on the communications network, and wherein said at least one action includes
intimating the transport layer to tear down the remote host connection.

38. (new) The method according to claim 37, wherein after intimating the 
transport layer to tear down the remote host connection, the target computer services 
requests on connections other than that remote host connection. 

39. (new) The system according to claim 13, wherein said at least one action 
includes modifying firewall rules to prevent reception of data packets from the host 
computer system. 

40. (new) The system according to claim 13, wherein the directing of the data 
packets to the application from the remote host is via a connection with the remote host 
on the communications network, and wherein said at least one action includes 
intimating the transport layer to tear down the remote host connection. 
41. (new) The system according to claim 40, wherein after intimating the
transport layer to tear down the remote host connection, the target computer services
requests on connections other than that remote host connection.

42. (new) The computer program product according to claim 25, wherein said at 
least one action includes modifying firewall rules to prevent reception of data packets 
from the host computer system. 

43. (new) The computer program product according to claim 25, wherein the 
directing of the data packets to the application from the remote host is via a connection 
with the remote host on the communications network, and wherein said at least one 
action includes intimating the transport layer to tear down the remote host connection. 

44. (new) The computer program product according to claim 43, wherein after 
intimating the transport layer to tear down the remote host connection, the target 
computer services requests on connections other than that remote host connection. 